author | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-10-02 17:49:51 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-10-02 17:49:51 +0200 |
commit | daaedcb9c28291fb911716b19dd4364ca1a847bd (patch) | |
tree | 3abf5a9e1889fa39bcedfb5ed8ab6fefbf501642 | |
parent | 6f2f08fb8daf5604f5a83aeb42eff816d11fc0dc (diff) | |
download | strongswan-daaedcb9c28291fb911716b19dd4364ca1a847bd.tar.bz2 strongswan-daaedcb9c28291fb911716b19dd4364ca1a847bd.tar.xz |
verify correctness of X.509 versions
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 5c4e7a8ea..d672605f5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -668,6 +668,7 @@ static const asn1Object_t certObjects[] = {
 #define X509_OBJ_NOT_AFTER 9
 #define X509_OBJ_SUBJECT 10
 #define X509_OBJ_SUBJECT_PUBLIC_KEY_INFO 11
+#define X509_OBJ_OPTIONAL_EXTENSIONS 16
 #define X509_OBJ_EXTN_ID 19
 #define X509_OBJ_CRITICAL 20
 #define X509_OBJ_EXTN_VALUE 21
@@ -705,7 +706,15 @@ static bool parse_certificate(private_x509_cert_t *this)
 break;
 case X509_OBJ_VERSION:
 this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
- DBG2(" v%d", this->version);
+ if (this->version < 1 || this->version > 3)
+ {
+ DBG1("X.509v%d not supported", this->version);
+ goto end;
+ }
+ else
+ {
+ DBG2(" X.509v%d", this->version);
+ }
 break;
 case X509_OBJ_SERIAL_NUMBER:
 this->serialNumber = object;
@@ -735,6 +744,13 @@ static bool parse_certificate(private_x509_cert_t *this)
 goto end;
 }
 break;
+ case X509_OBJ_OPTIONAL_EXTENSIONS:
+ if (this->version != 3)
+ {
+ DBG1("Only X.509v3 certificates have extensions");
+ goto end;
+ }
+ break;
 case X509_OBJ_EXTN_ID:
 extn_oid = asn1_known_oid(object);
 break;
@@ -1169,7 +1185,7 @@ static private_x509_cert_t* create_empty(void)
 this->encoding = chunk_empty;
 this->encoding_hash = chunk_empty;
 this->tbsCertificate = chunk_empty;
- this->version = 3;
+ this->version = 1;
 this->serialNumber = chunk_empty;
 this->notBefore = 0;
 this->notAfter = 0;
|
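Review bot: The new range check in the X509_OBJ_VERSION case bounds only the first byte of the INTEGER body, because `this->version` is computed from `*object.ptr` alone; an INTEGER whose body is longer than one byte (for instance a non-minimal encoding with a leading zero) is folded into a value in 1..3 and accepted without the excess bytes ever being looked at. Since a DER-encoded version for v1..v3 is always a single byte, the length should be part of the test, e.g. `if (object.len > 1 || this->version > 3)`. The `this->version < 1` half of the condition can never hold, as the value is `1 + (u_int)` of what is presumably an unsigned byte, so it can be dropped. parse_certificate starts and ends outside this hunk.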
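Review bot: The version gate in the new X509_OBJ_OPTIONAL_EXTENSIONS case covers only the [3] EXPLICIT Extensions field; RFC 5280 places a comparable restriction on issuerUniqueID and subjectUniqueID ([1] and [2]), which must not appear in a v1 certificate. If the object table parses those fields (the ids 12–15 are skipped in the #define list of the first hunk, so it presumably does), a matching `if (this->version == 1) { DBG1("..."); goto end; }` in their cases would complete the check. Whether this case is reached only when the [3] tag is actually present depends on how the ASN.1 parser reports optional objects, which is outside the hunk. The enclosing switch and parse_certificate continue outside this hunk.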
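Review bot: Changing the default of `this->version` to 1 in create_empty matches the DEFAULT v1 of the ASN.1 definition, but it interacts with the new parse_certificate checks: a certificate built from this object that carries extensions without the builder explicitly raising the version to 3 would be rejected on re-parse by the "Only X.509v3 certificates have extensions" check. The builder code is not in this diff, so it is worth confirming that it sets version 3 whenever extensions are emitted, or at least documenting the requirement at the field, e.g. `/* X.509 version 1..3; must be 3 when extensions are present */`. create_empty continues outside this hunk.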